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Who Am I? 


=" 19 years old 

= Sophomore at the Rochester Institute of Technology 
= ^? Windows Internals 

= Mostly self-taught (with guidance) 

= Strong "Game Hacking" background 
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What Is This Talk About? 


In this talk, we'll go over... 

= Loading a rootkit. 

" Communicating with a rootkit. 

" Abusing legitimate network communications. 

= An example rootkit | wrote and the design choices behind it. 
= Executing commands from kernel. 

= Tricks to cover up the filesystem trace of your rootkit. 
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Introduction to 
Windows Rootkits 


Windows Rootkits: An Overview 


Why would you want to use a rootkit? 

=" Kernel drivers have significant access to the machine. 

= Same privilege level as a typical kernel anti-virus. 

"Less mitigations and security solutions targeting kernel malware. 


= Anti-Virus often have less visibility into operations performed by 
kernel drivers. 


= Kernel drivers are often ignored by anti-virus. 
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Example: Treatment by Anti-Virus 


Anti-virus tends to treat kernel drivers with significant trust compared 
to user-mode applications. 


Excerpt from Malwarebytes' Process/Thread Handle callbacks 


Excerpt from Carbon Black’s Process/Thread Handle callbacks 
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Loading a Rootkit 
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Abuse Legitimate Drivers 


There are a lot of "vulnerable" drivers. With some reversing 
knowledge, finding a “O-day” in a driver can be trivial. 


Examples include... 

= Capcom's Anti-Cheat driver 
= Intel’s NAL Driver 

= Microsoft themselves! 
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Abuse Legitimate Drivers 
Using legitimate drivers has quite a few benefits too: 
= You only need a few primitives to escalate privilege. 


" Finding a "vulnerable" driver is relatively trivial (OEM Drivers €). 
= Difficult to detect due to compatibility reasons. 
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Abuse Legitimate Drivers 


Abusing legitimate drivers comes with some strong drawbacks too... 


= Major issue of compatibility across operating system versions 
depending on the primitives you have. 


= Much more likely to run into stability issues. 


= The last thing you want is your malware to BSOD a victim. 
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Just Buy a Certificate! 


For some red teamers, buying a legitimate code signing certificate 
might be a good option. 


= Useful for targeted attacks. 

= No stability concerns. 

But... 

= Potentially reveals your identity. 
= Can be blacklisted. 
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Abuse Leaked Certificates 


Instead of buying a certificate yourself, why not just use one from 
someone else? 


=" There are quite a few public leaked certificates available to download 

= Almost has all the benefits of buying one without deanonymization. 

But... 

= The leaked certificate you use can be detected in the future. 

= |f the certificate was issued after July 29t, 2015, it won't work on 
secure boot machines running certain versions of Windows 10. 
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Abuse Leaked Certificates 


In most cases, Windows doesn't care if your driver has a certificate that 
has expired or was revoked. 


Administrator: Command Prompt — L1 x 


C:\VM Certificate Testing>sc create RevokedDriver binPath= "C:\VM Certificate General | gra ougnanres | Securty | Details | Previous Versions 
Testing\revoked.sys" type= kernel 
[SC] CreateService SUCCESS 


C:\VM Certificate Testing>sc start RevokedDriver 


Digital Signature Information 


SERVICE_NAME: RevokedDriver 49 A certificate was explicitly revoked by 
TYPE : 1 KERNEL DRIVER 
STATE : 4 RUNNING 
(STOPPABLE, NOT_PAUSABLE, IGNORES SHUTDOWN) 
WIN32_EXIT_CODE : 0 (0x0) 
SERVICE EXIT CODE : 0 (0x0) 
CHECKPOINT : 0x0 
WAIT HINT : 0x0 
PID =a, 
FLAGS - 
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Abuse Leaked Certificates 


Several leaked certificates are already publicly posted, but it's not 
impossible to find your own. 


1,631 of 3,976 million 87133 of 259794 
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Abuse Leaked Certificates 


Oh and the best part.... most of them are undetected by the bulk of AV: 
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Communicating with a Rootkit 
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Beacon Out to a C2 


A tried and true method that comes with some downsides is to "call 
home". 


=" Firewalls can block or flag outgoing requests to unknown/suspicious 
IP Addresses or ports. 


= Advanced Network Inspection can catch some exfiltration techniques 
that try to "blend in with the noise". 
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Open a Port 


Some malware takes the route that the C2 connects to the victim 
directly to control it. 


= Relatively simple to setup. 

But... 

" Could be blocked off by a firewall. 

= Difficult to "blend in with the noise". 
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Application Specific Hooking 


More advanced malware may opt to hook a specific application's 
communication as a channel of communication. 


= Difficult to detect, especially if using legitimate protocol. 
But... 


"It’s not very flexible. 


= A machine might not have that service exposed. 
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Choosing a Communication Method 


What | want... 
1. Limited detection vectors. 
2. Flexibility for various environments. 


My assumptions... 


1. Victims machines will have some services exposed. 
2. Inbound and outbound access may be monitored. 
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Choosing a Communication Method 


Application Specific Hooking was perfect for my needs, except for the 
flexibility. 


Is there anyway we could change Application Specific Hooking to where 
it isn’t dependent on any single application? 
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Abusing Legitimate Communication 


What if instead of hooking an application directly, we... 


= Hook network communication, similar to tools like Wireshark. 
= Place a special indicator in "malicious" packets, a "magic" constant. 


= Send these "malicious" packets to legitimate ports on the victim 
machine. 


= Search packets for this "magic" constant to pass on data to our 
malware. 
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Hooking the User-Mode Network Stack 
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Hooking the Windows Winsock Driver 


=" A significant amount of services on Windows can be found in user- 
mode, how can we globally intercept this traffic? 


= Networking relating to WinSock is handled by Afd.sys, otherwise 
known as the “Ancillary Function Driver for WinSock". 


= Reversing a few functions in mQswsock.dll revealed that a bulk of 
the communication was done through IOCTLs. If we could intercept 
these requests, we could snoop in on the data being received. 
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How Do Irps Know Where to Go? 


When you call NtDeviceloControlFile on a file handle to a device, 
how does the kernel determine what function to call? 


e devic e objet akasia 
is oGe tRelatedDevic 


Dispatch using 
M PU E—— — vero bject--FastloDispatch 
table 


Allocate and fill out an Irp Call loCallDriver to dispatch the Irp 
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Standard Methods of Intercepting Irps 


There are a few ways we can intercept Irps, but let's look at two 
common methods. 


1. Replace the Major Function you'd like to hook in the driver's object. 
2. Perform a code hook directly on the dispatch handler. 
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Picking a method 


To pick the best method of hooking, here are a few common questions 
you should ask. 


" How many detection vectors are you potentially exposed to? 


" How "usable" is the method? 
= How expensive would it be to detect the method? 
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Hook a Driver Object 


" How many detection vectors are you potentially exposed to? 
= Memory artifacts. 


= How "usable" is the method? 


= For stability, by replacing a single function with an interlocked exchange, this 
method should be stable. 


=" For compatibility, driver objects are well-documented and easy to find. 


= How expensive would it be to detect the method? 


= Inexpensive, all anti-virus would need to do is enumerate loaded drivers and 
check that the major functions are within the bounds of the driver. 
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Hook a Driver’s Dispatch Function 


" How many detection vectors are you potentially exposed to? 
= Memory artifacts. 
= How "usable" is the method? 
= Unless the function is exported, you will need to find the function yourself. 
= Not all drivers are compatible with this method due to PatchGuard. 
= HVCI incompatible. 
= How expensive would it be to detect the method? 
=" Potentially inexpensive and several methods to detect hooking. 
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Hooking File Objects 


| wanted a method that was... 

= Undocumented. 

= Stable. 

= Relatively expensive to detect. 


What if instead of hooking the original driver object, we hooked the file 
object instead? 
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How Do Irps Know Where to Go? 


To retrieve the device associated with the Afd driver, the kernel calls 
IoGetRelatedDeviceObject. 


typedef struct FILE OBJECT { 
CSHORT Type; 
CSHORT Size; 


PDEVICE OBJECT DeviceObject;| What's stopping us from 


overwriting this pointer? 
} FILE OBJECT; 
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Hooking File Objects 


What we can do is... 
1. Create our own device object and driver object. 
2. Patch our copy of the driver object. 


3. Replace the DeviceObject pointer of our file object with our own 
device. 


Let's talk about how we would go about doing this. 
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Hooking File Objects 


Let's start by finding a file object to hook. We're after handles to 
\Device\Afd, but how can we find these objects? 


ZwQuerySystemlnformation function 
05/31/2018 - 7 minutes to read - ^ à A Q 


typedef enum | SYSTEM INFORMATION CLASS 


Retrieves the specified system information. { 
omia SystemHandleInformation, 
= D cy eee 
Dom ) SYSTEM INFORMATION CLASS, 
“Inout_  PVOID - pus snp ie ct *PSYSTEM INFORMATION CLASS; 
Sins ULONG SystemInformationLength, 
_Out_opt_ PULONG ReturnLength 
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Hooking File Objects 


The SystemHandleInformation class allows us to query all handles 
on the system, including... 


= The process ID the handle belongs to. 
= The kernel pointer of the object associated with the handle. 


If we open the Afd device ourselves, we can easily recognize file objects 
that are for the Afd device. 
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Hooking File Objects 


Before we can overwrite the DeviceObject member, we need to create 
our fake objects first. Fortunately, the kernel exports the function it 
uses itself to create these objects. 


All we need to do is call OoCreateObject passing the 
IoDriverObjectType or IoDeviceObjectType to create our fake 
objects. 


We can copy the existing objects over to contain the same member 
values. 
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Hooking File Objects 


With our fake objects created, we're almost ready to set the 
DeviceObject of the file object. First though, we need to hook our 
driver object. 


We can use the standard "Hook a Driver Object" method, except 
instead of performing it on the original driver object, we'll use it on a 
fake driver object used exclusively for our hooks. 
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Hooking File Objects 


To prevent race conditions while replacing the device object member, 
the original device object we use inside of our hooked dispatch must be 
set at the same time we the DeviceObject member of the file object. 


To do this, simply perform an interlocked exchange of the original 
device object and the device object our hook uses. 


tomically hook the device object of the file. 


oldDeviceObject = RCAST«PDEVICE OBJECT»(InterlockedExchange64(RCAST«PLONG64» (&FileObject-»DeviceObject), RCAST<LONG64>(FileObjHook: :FakeDeviceObject))); 
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Hooking File Objects 


Now that we've hooked the file object, there is not much work left. 


In our dispatch hook, we need to... 


1. Checkif we are hooking the MajorFunction being called. 


1. Ifweare, call the hook function passing the original device object and 
original dispatch function for that MajorFunction. 


2. Make sure to restore the original DeviceObject when the 
MajorFunction is IRP MJ CLEANUP. 
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Hooking File Objects 


" How many detection vectors are you potentially exposed to? 
= Memory artifacts. 
" How "usable" is the method? 
= Most of the functions we use are at least semi-documented and unlikely to 
change significantly. 
" How expensive would it be to detect the method? 


=" Expensive, an anti-virus would have to replicate our hooking process and 
enumerate file objects to determine if the device/driver object was swapped. 
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How the Spectre Rootkit Abuses the 
User-Mode Network Stack 
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Abusing the Network 
Using the File Object hook, we can now intercept Irps to the Afd driver. 


This allows us to... 
= Intercept all user-mode networking traffic. 


= Send and receive our own data over any socket. 
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Abusing the Network 


To review, our existing plan is to... 
= Hook network communication, similar to tools like Wireshark. 
= Place a special indicator in "malicious" packets, a "magic" constant. 


= Send these "malicious" packets to legitimate ports on the victim 
machine. 


= Search packets for this "magic" constant to pass on data to our 
malware. 


How can we actually retrieve the content of packets that are received? 


Demystifying Modern Windows Rootkits - DEF CON 28 42 


[5X] Administrator: Command Prompt 


Abusing the Network 


For receive operations, an IOCTL with the code TOCTL AFD RECVis 
sent to the Afd driver. Here is the structure sent in the input buffer. 


typedef struct | AFD RECV INFO { 
PAFD WSABUF BufferArray; 

ULONG BufferCount; 

ULONG AfdFlags; 

ULONG TdiFlags; 

) AFD RECV INFO, * PAFD RECV INFO; 


typedef struct _AFD WSABUF { 
UINT len; 
PCHAR buf; 
} AFD WSABUF, * PAFD WSABUF ; 
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Parsing Packets: Design 


Let's talk about how the Spectre Rootkit was designed. 


Spectre Rootkit Packet Structure 


Any prepended data 
Magic Constant 
Base Packet Structure 


£ 


25 Eltypedef struct BASE PACKET 
26 { 
7 ULONG PacketLength; 
8 PACKET TYPE Type; 

) BASE PACKET, *PBASE PACKE 


NN PR L. 
i ` 


Optional Custom Structure 
Any appended data 
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// Indicates the type 


T3 


// The length of the packet. 


of packet. 


44 


Parsing Packets: Pre-Processing 


Here is the process used when the Spectre Rootkit receives a packet. 


Packet is Search buffer for Buffer contains 
received magic magic? 


Ignore packet 


Process Packet 
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Parsing Packets: Processing 


Before dispatching a packet, we need to create a complete packet. 


Use received data to 
populate a 
BASE PACKET 


Dispatch packet 
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Packet Handlers 


Before we go any further, let's talk about the concept of "Packet 


Handlers" in the Spectre Rootkit. 


Eltypedef class PacketHandler 
f 


i 
protected: 


E] 
// It can also be used to dispatch a new packet. 


PPACKET DISPATCH PacketDispatch; 
public: 
PacketHandler ( 
.In PPACKET DISPATCH Dispatcher 
E 


virtual NTSTATUS ProcessPacket ( 
.In PBASE PACKET FullPacket 
) = 0; 

| } PACKET HANDLER, *PPACKET HANDLER; 
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// The packet dispatcher is used for sending and receiving network messages. 
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Packet Handlers 


An example of a packet handler included with the Spectre Rootkit is the 
PingPacketHandler. This handler is used to determine if a 
machine/port is infected. 


The incoming packet has no actual data, other than indicating its Type 
is a Ping. The handler responds to the client with an empty base 
packet with the Type set to Ping. 
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Parsing Packets: Dispatching 


Once a packet is completely populated, the "packet dispatcher" will... 


Allocate packet Call the packet 
handler based on — sees. handlers 
packet Type ProcessPacket 


Free the packet 


handler 


Here’s why the “packet dispatcher” is awesome: by passing a pointer to 
itself to the relevant packet handler, that packet handler can recursively 
dispatch a new packet! 
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Packet Handlers: XorPacketHandler 


The best way to explain the recursive nature of the "packet dispatcher' 


is through an example, such as the XorPacketHandler. 


The XorPacketHandler takes a XOR PACKET structure: 


48 Eltypedef struct  XOR PACKET 


41 { 

42 BASE PACKET Base; // Contains standard information about the packet. 
43 BYTE XorKey; // The XOR key used to obfuscate the packet. 

44 BYTE XorContent[1]; // The XOR'd packet to dispatch. 

45 ] XOR PACKET, *PXOR PACKET; 


This XOR PACKET does not actually perform a malicious operation. 
Instead, it acts as an encapsulating packet. 
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" 


Packet Handlers: XorPacketHandler 
When the XorPacketHandler receives a packet, it will... 
1. Use the XorKey to deobfuscate the XorContent. 


2. Recursively dispatch the XorContent as a new packet. 


The model that the Spectre Rootkit uses allows you to create infinite 
layers of encapsulation. 
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Executing Commands 


Let's take a look at how we can execute commands from our rootkit, a 
common feature seen in a variety of Windows malware. 


Before we get into starting a process from a kernel driver, it's important 
to understand how we would execute commands from a user-mode 


context. 
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Executing Commands: User-mode 


Preparation 


Create a STARTUPINFO 
structure 


Create an unnamed pipe 


| Process Creation 


CreateProcess WaitForSingleObject 


Read Output 


ReadFile 
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Executing Commands: Kernel-mode 


Let’s start by creating the pipes we need to obtain output. 
Here is what CreatePipe does in the background... 


CreatePipe 


Open 
\Device\NamedPipe 


Create ObjectAttributes Ww d NiCreateNamedPipeFile 


NtOpenFile on pipe 
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Executing Commands: Kernel-mode 


Now that we have pipes, we need to create the actual process. We'll 
use ZuCreateUserProcess because that's what kernelbase.dll 
uses itself to create processes. 


Let's start with the attribute list for the process. 


= The most important attribute we have to set is the 
PsAttributelmageName attribute. This will specify the image file name 
for the new process. 
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Executing Commands: Kernel-mode 


Next, we have to fill out an RTL USER PROCESS PARAMETERS 
structure for the process. 


In this structure, we need to set... 
1. The window flags and the output handles to our pipes. 


2. The current directory, the command line arguments, the process 
image path, and the default desktop name. 
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Executing Commands: Kernel-mode 


From there, all it takes is a call to ZwCreateUserProcess to start the 
process. 


Once the process has exited, similar to what we do in user-mode, we 
can call ZwReadFile to read the output from the unnamed pipe. 
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Hiding a Rootkit 
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Introduction to Mini-Filters 


Mini-filter drivers allow you to attach to volumes and intercept certain 
file I/O. This is performed by registering with the Filter Manager driver. 


User request for file I/O 


Hardware 


Source: Microsoft Docs 
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Introduction to Mini-Filters 


Mini-filters can be useful to mask the presence of our rootkit on the 
filesystem. 


For example, a mini-filter can direct all file access for a certain file to 
another file. We can use this functionality to redirect access to our 
driver file to another legitimate driver. 
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Picking a method 


To pick the best method of hooking, here are a few common questions 
you should ask. 


" How many detection vectors are you potentially exposed to? 


" How "usable" is the method? 
= How expensive would it be to detect the method? 
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Become a Mini-Filter 


The easiest way to abuse the functionality of a mini-filter is to become 
one yourself. Here are the minimum requirements for 


FltRegisterFilter: 

1. Create [ServiceKey]Mnstances 

2. Create [ServiceKey]\Instances\[An instance name] 

3. In [ServiceKey]\Instances add a "Defaultlnstance" and set it to your 
instance name used in step 2. 

4. In [ServiceKey]\Instances\[An instance name], add the "Altitude" 


and "Flags" values. 
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Become a Mini-Filter 


" How many detection vectors are you potentially exposed to? 
= Registry and memory artifacts. 
= How "usable" is the method? 
= No concerns from stability or usability, this is how other legitimate drivers 
register as mini-filters. 
" How expensive would it be to detect the method? 


= Inexpensive. Besides the registry artifacts, drivers that are registered as mini- 
filters can easily be enumerated through API such as 
FltEnumerateFilters. 
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Hook a Mini-Filter 


Another method is to simply hook an existing mini-filter. There are a 
couple of routes you could take. 


= Code hook the callback for an existing filter. 


= Overwrite the FLT REGISTRATION structure before the victim driver 
uses it to have your own callback. 


= DKOM an existing filter instance and replace the original callback with 
yours. 
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Hook a Mini-Filter: Code Hook 


One of the easiest way to intercept callbacks to an existing mini-filter is 
to simply perform a code hook. 


This can be as simple as a jmp hook, but it comes with quite a few 
drawbacks, similar to those we saw in an earlier section where we 
discussed intercepting Irps. 


Demystifying Modern Windows Rootkits - DEF CON 28 65 


Hook a Mini-Filter: Code Hook 


" How many detection vectors are you potentially exposed to? 
= Memory artifacts. 
= How "usable" is the method? 
= Unless the function is exported, you will need to find the function yourself. 
= Not all drivers are compatible with this method due to PatchGuard. 
= HVCI incompatible. 
= How expensive would it be to detect the method? 
=" Potentially inexpensive and several methods to detect hooking. 
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Hook a Mini-Filter: DKOM 


A semi-documented method of hooking an existing mini-filter is 
through DKOM. 


You can enumerate filters and instances through the documented APIs 
FltEnumerateFilters and FltEnumerateInstances. 


The function that gets called for a certain operation is specified in the 
CallbackNodes array in the FLT INSTANCE structure. 
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Hook a Mini-Filter: DKOM 


= The Cal lbackNodes array index is associated with the major 


function you're hooking. 


kd» dt fltmgr! FLT INSTANCE 
-ü0xü000 Base : | FLT. OBJECT 


+0x030 OperationRundownRef : Ptr64 EX RUNDOWN REF CAC 


-0x038 Volume : Ptr64  FLT VOLUME 
+0x040 Filter : Ptr64 FIT FILTER 
+0x048 Flags : _FLT_INSTANCE FLAGS 
+0x050 Altitude : _UNICODE_ STRING 


+0x060 Name ; _UNICODE_STRING 
+0070 FilterLink : _LIST_ENTRY 

+0080 ContextLock ; EX PUSH LOCK 

-0x088 Context : Ptr64 CONTEXT NODE 
+0x090 TransactionContexts : CONTEXT LIST CTRL 


+0095 TrackCompletionNodes . Ptr&4 TRACK COMPLETION ODES 


xüxüaü CallbackNodes : [50] Ptr64 CALLBACK NODE 


kd» dt[fltmgr! CALLBACK NODE 

+0x090 CallbackLinks : _LIST_ENTRY 

+010 Instance : Ptr64 _FLT_INSTANCE 

Ju x018 PreOperation : Ptr&4  FLT PREOP CALLBACK STATUS 
-0x020 PostOperation : Ptr64 _FLT_POSTOP_CALLBACK STATUS 


-0x018 GenerateFileName : Ptr64 long 

+0x018 NormalizeNameComponent : Ptr64 long 
+0x018 NormalizeNameComponentEx : Ptr64 long 
+0x020 NormalizeContextCleanup : Ptr64 void 
+0x028 Flags : _CALLBACK NODE FLAGS 
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Hook a Mini-Filter: DKOM 


" How many detection vectors are you potentially exposed to? 
= Memory artifacts. 


= How "usable" is the method? 


= For stability, although obtaining a FLT INSTANCE structure is documented, 
the FLT INSTANCE structure itself is undocumented. 


= How expensive would it be to detect the method? 


= Inexpensive, an anti-virus would need to occasionally enumerate registered 
filters and their instances for hooks in the Cal LbackNodes array. 
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Example: Abusing a Mini-Filter 


Let's say you want to protect a certain file, what's an example of 
redirecting access to it? 


Use FitGetFileNameinformation to get a Path contains Ignore and return 
normalized file path protected file? FLT PREOP SUCCESS NO CALLBACK 


Replace path of FileObject 


using loReplaceFileObjectName EE >et OStatus. Status to STATUS REPARSE ue Return FLT PREOP COMPLETE 
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Wrap Up 
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Thanks to... 


Alex lonescu (@aionescu) 


= Long-time mentor very experienced with Windows Internals. 


ReactOS 
2 A fantastic reference for undocumented functions and structures. 


Nemanja Mulasmajic (@OxNemi) and Vlad lonescu (@ucsenoi) 
= Helped review this presentation. 


Demystifying Modern Windows Rootkits - DEF CON 28 72 


Contact / Questions 


Thanks for sticking around! Now is the time for any questions. 


Twitter 

@ BillDemirkapi 

Blog 

https://billdemirkapi.me 

Spectre Rootkit 
https://github.com/D4stiny/spectre 
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